Thanks to jggimi I have a working VPN setup between my home network and a remote network. I now want to connect with another site from home and would like to know if my ipsec.conf and pf.conf files are set up correctly when I add the new VPN. My question is this: for the second VPN do I still use "ike esp" and "enc", or do those have to be changed to something different to denote a different VPN, and change the pf.conf accordingly? Below are my ipsec.conf and pf.conf files, masked accordingly. Are they correct for the two VPNs I'd like to set up?

I restarted my firewall after adding the entries for A&C. Do I need to reboot for the changes to take effect in ipsec.conf, or is there a way to restart that? After editing ipsec.conf I ran this and got this output, but A&C won't connect.

The error message is telling you that isakmpd is not running. The .fifo file is a command channel.

Check for isakmpd error messages in /var/log/daemon. You can add the -v option to produce more detailed output, and if you want you can run it with -d so that it does not daemonize, and produces its output in the shell.

Well, I've Googled myself to death but can't seem to solve this one. The two VPNs I set up won't allow me to share PC or server resources. I can ping, connect, install and print to all the remote IP printers, and I can ping and log in to all the remote network gear (routers & WAPs), but I can't ping or connect to servers and PCs. The servers and PCs are all Windows: Windows 7 on the PCs and Windows Server on the servers.

The VPN between B&C has full access to each other's resources, but between A&B and A&C there is no access to servers and PCs. It would appear the problem lies somewhere in my OpenBSD box, but I can't figure it out. Can anyone point me in the right direction as to what I'm doing wrong?

My approach would be to use tcpdump(8) on the OpenBSD box in verbose mode. That will display a lot of information about the VPN packets, which encryption methods are available and which one is actually chosen.

In case it is a routing issue, you will also be able to see which side does not send a reply.

With a default policy of block log all, and/or logging enabled on the rules allowing the VPN traffic, you could watch the pflog device with tcpdump to make sure the firewall ruleset is not dropping VPN packets.

By wiretapping with tcpdump(8) you can also verify whether DNS is working within the VPN (in case you are using that).

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

I'm going to take a wild guess that IP forwarding may not be enabled, since the symptom could indicate that and forwarding is disabled by default. See FAQ 6.2.7.

Once that's confirmed, follow J65nko's advice regarding testing PF rules. You may need to deploy pass rules in pf.conf for the traffic you wish to enable. You're passing ESP packets for the VPN and UDP for key management, but not passing any underlying traffic between the interconnected networks. That may be the reason for the communication failure.

Last edited by jggimi; 7th April 2014 at 10:56 AM.
Reason: typo, clarity
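An added example (not the poster's masked files, which are not reproduced in the thread, and not jggimi's own configuration) showing the two points raised above: the original question of how a second tunnel is expressed in ipsec.conf (a second `ike esp` line, nothing else changes), and jggimi's point that ESP and IKE must be passed on the external interface while the decrypted site-to-site traffic must additionally be passed on enc0 and forwarded. Gateway addresses, network prefixes, the interface name em0 and the pre-shared key are assumed placeholders.

```conf
# /etc/ipsec.conf -- one "ike esp" line per tunnel; both use the same
# keywords, they differ only in the networks and the peer.
local_gw = "192.0.2.1"         # home gateway (placeholder)
siteB_gw = "198.51.100.1"      # site B gateway (placeholder)
siteC_gw = "203.0.113.1"       # site C gateway (placeholder)
net_A    = "10.0.1.0/24"       # home LAN (placeholder)
net_B    = "10.0.2.0/24"       # site B LAN (placeholder)
net_C    = "10.0.3.0/24"       # site C LAN (placeholder)

ike esp from $net_A to $net_B local $local_gw peer $siteB_gw psk "PLACEHOLDER_B"
ike esp from $net_A to $net_C local $local_gw peer $siteC_gw psk "PLACEHOLDER_C"
# Reload without rebooting: ipsecctl -f /etc/ipsec.conf

# /etc/sysctl.conf -- FAQ 6.2.7: the box will not route between the LANs
# until forwarding is on (sysctl net.inet.ip.forwarding=1 applies it now).
net.inet.ip.forwarding=1

# /etc/pf.conf (relevant part) -- with "block log all" as the default
ext_if = "em0"                 # external interface (placeholder)
peers  = "{ " $siteB_gw " " $siteC_gw " }"
sites  = "{ " $net_B " " $net_C " }"

block log all

# Key management (IKE and NAT-T) and the ESP packets themselves.
# These alone bring the tunnels up but pass none of the LAN traffic.
pass in  on $ext_if proto udp from $peers to $local_gw port { 500, 4500 }
pass out on $ext_if proto udp from $local_gw to $peers port { 500, 4500 }
pass in  on $ext_if proto esp from $peers to $local_gw
pass out on $ext_if proto esp from $local_gw to $peers

# The decrypted traffic between the LANs appears on enc0 and is subject
# to the ruleset like any other packet; this is the part that was missing.
pass on enc0 from $net_A to $sites keep state (if-bound)
pass on enc0 from $sites to $net_A keep state (if-bound)
```

If the Windows hosts still do not answer after this, their own firewalls may reject ICMP and SMB from a non-local subnet, which tcpdump on enc0 would show as requests leaving with no reply.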